Role granting issue

Similar Messages

• Grants issue !!

  Hi,
  O/S : HP Unix
  DB : 11.2.0.3
  Server Source_A : Let's say i have user with the name 'Rob' and this user has been assigned a role 'MY_SRC_ROLE' .
  I developed a table under rob schema and granted access to this table via role
  GRANT DELETE, INSERT, SELECT, UPDATE ON rob.emp TO MY_SRC_ROLE;
  I have 100 more users & they have been granted this role 'MY_SRC_ROLE'. These 100 users can now access emp table via Role 'MY_SRC_ROLE' without any issues.
  Now i took a datapump export & performed datapump import on target server which is also HP Unix with 11.20.3 . On target server i have user 'JACK' and a role called 'MY_WORK_ROLE'. 5000 users have been granted 'MY_WORK_ROLE' on this server.
  I have used remap tablespace clause & remap schema clause in datapump import script. Once i performed an import , due to schema remap , i can see JACK now owns table 'emp', however grants are still not there, I tried searching on google & oracle documentation, if somehow we can remap ROLE GRANTS also while doing datapump imp, but i couldn't find supporting syntax. Am i missing something or probably can i assume datapump import is not capable to handle this particular scenario ? I was able to do it by manipulating sqlfile and replacing role name in that but i am looking for a sol. within datapump itself.
  So bottom line how can grants assigned to ROLE 'X' be transferred to 'Role Y' via datapump import.
  Let me know, if any any additional details are required.
  -Learner    

  Hi,
  AFAIK, you can not remap/rname the roles. you can generate the Dynamic script and Apply on Target
  something like that
  spool role_target.sql
  select 'grant '|| PRIVILEGE || ' MY_WORK_ROLE;' from dba_sys_privs where GRANTEE='MY_SRC_ROLE';
  spool off
  @role_target.sql
  HTH

• Missing Role Grants after datapump

  Hello OTN-Community,
  I have a problem with datapump. I am using some include filters to get the relevant data exported. One of these filters inlcudes the ROLES of my database which starts with a certain expression.
  After the export into another database these roles exists but all of the role grants and the grants to other users misses. The object grants are exported correctly.
  What am I doing wrong?
  The export script:
  declare
  /*some declare specification are not copyed*/
  cursor curSchema is
  select
  distinct
  t.Mdbn_Name Name
  from
  ProphetMaster.Dat_MdBn t
  where
  Upper(t.MDBN_Name) not in ('****', '***');
  begin
  -- Schemas festlegen
  SchemaList := '''****'',''***''';
  if ExportAllProphetUsers then
  for recSchema in  curSchema loop
        SchemaList := SchemaList||','''||recSchema.Name||''''; 
  end loop;
  end if;
  -- Dateigröße
  FileSizeStr := to_char(MaxFileSize)||'M';
  -- Verzeichnis
  DirectoryName := 'PHT_PUMP_DIR';
  execute immediate  'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||''''; 
  -- JobName
  JobName := 'PHT_EXPORT'||DateStr;
  -- Filename
  if not FilenameWithDateTime then
  DateStr :='';
  end if;
  Filename := 'PHTDB'||DateStr||'_%U.DMP';
  Logfilename := JobName||'.LOG';
  -- Job festlegen und Ausführen
  h1 := dbms_datapump.open (operation => 'EXPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
  dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
  dbms_datapump.add_file(handle => h1, filename =>  Logfilename, directory => DirectoryName, filetype => 3);
  dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
  --10g
  --dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1);
  --11g
  dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1, reusefile =>OverwriteFiles);
  dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
  dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
  -- Include Schemas
  --dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
  dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
  dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''DATABASE_EXPORT/SCHEMA'')');
  --Include Profiles
  dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''PROFILE_%''', object_type => 'PROFILE');
  dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''PROFILE'')');
  --Include Roles  
  dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''***%''', object_type => 'ROLE');
  dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''ROLE'')');
  -- Größenabschätzung
  dbms_datapump.set_parameter(handle => h1, name => 'ESTIMATE', value => 'BLOCKS');
  --Start Job
  dbms_output.put_line('Import Job started; Logfile: '|| LogFileName);
  dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
  -- Wait for ending and finishing job
  dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
  dbms_output.put_line('Job has completed');
  dbms_output.put_line('Final job state = ' || job_state);
  dbms_datapump.detach(handle => h1);
  The Import Script:
  begin
  dbms_output.Enable(buffer_size => null);
  -- Verzeichnis
  DirectoryName := 'PHT_PUMP_DIR';
  execute immediate  'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||''''; 
  -- JobName
  JobName := 'PHT_IMPORT'|| to_char(sysdate,'_yyyy-MM-DD-HH24-MI');
  --FileNames
  Filename    := 'PHTDB'||FileNameDateStr||'_%U.DMP';
  LogFilename := JobName||'.LOG';
  h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
  --Wenn der Datapumpimport auf einer Standardversion ausgeführt wird, muss diese Aufrufzeizeile genutzt werden   
    --h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => '10.2');
  dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
  dbms_datapump.add_file(handle => h1, filename =>  Logfilename, directory => DirectoryName, filetype => 3);
  dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
  dbms_datapump.add_file(handle => h1, filename =>  Filename, directory => DirectoryName,  filetype => 1);
  dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
  dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
  dbms_datapump.set_parameter(handle => h1, name => 'REUSE_DATAFILES', value => 0);
  dbms_datapump.set_parameter(handle => h1, name => 'TABLE_EXISTS_ACTION', value => 'REPLACE');
  dbms_datapump.set_parameter(handle => h1, name => 'SKIP_UNUSABLE_INDEXES', value => 0);
  --Start Job
  dbms_output.put_line('Import Job started; Logfile: '|| LogFileName);
  dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
  -- Wait for ending and finishing job
  dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
  dbms_output.put_line('Job has completed');
  dbms_output.put_line('Final job state = ' || job_state);
  dbms_datapump.detach(handle => h1);

  Has no one any idea?

• Find the roles granted on tables in oracle 10g

  Hi,
  I need to find what roles granted to what tables in a schema. I try to query dba_tab_privs but this will give what roles granted to tables, but i want to find what tables are missing these roles in a schema?
  any help is appreciated.
  Thanks...

  789287 wrote:
  i have another scenario where i have 2 different schemas such as TEST_A ans TEST_B. here TEST_B. at TEST_B user have 2 roles B_query and b_update and granted these roles to TEST_B user.
  TEST_A need to access the TEST_B objects, when i grant the A_QUERY, A_UPDATE to TEST_A user. then i login as TEST_A user to access the TEST_B objects gets an eror object doesn't exist.
  i dont want to grant privileges directly on to the TEST_B objects to TEST_A user. is there anyway i can accomplish this through the role?
  i thought it would appropriate to ask the question here rather opening a thread.
  Thanks...consider to actually post the actual SQL & complete error response from Oracle.
  How do I ask a question on the forums?
  SQL and PL/SQL FAQ

• Script for Users, Roles,Grant,Tablespace

  Hi,
  Please guide me on the following .
  I am moving database to new Unix server .
  so can I create the script which will check the existing Users, Roles, Grants, Tablespaces from current database and store that data.
  And using same soared data I want to create the same " Users, Roles, Grants, Tablespaces" using the script.
  Can i do this. Please guide me how to do this so I will help me to move database
  Thanks,
  Amol

  You should run ?\rdbms\admin\utlrp (note the ?, which is shorthand for ORACLE_HOME) from the database server. to make sure you have the correct script. You can call sqlplus from Toad easily.
  The script affects PL/SQL only. PL/SQL resides in the SYSTEM tablespace in the SYS schema. You don't have 400G of PL/SQL. It should take a few minutes only.
  The SYSTEM schema WILL be imported. SYS will not be imported, but automagically recreated. The only thing you will miss is Grants which have been made by SYS directly to end-users or roles, outside those defined in catalog.sql
  Sybrand Bakker
  Senior Oracle DBA

• Role migrate issue

  When I migrate some Roles from portal nw04 to nw04s, the roles have issue.
  The issue is when I assign these role into some user, the role doesn't work.
  My solution is I go to Content Administrator>xxx role>Change ID then the role is working for user.
  I don't know why I need to do this process when I migrate role.
  Anybody know why?

  It's possible I'm not being very clear as I think you have misunderstood it.  The Hyper-V hosts are fine and their access to the iSCSI CSV is functional.  The problem is the VMs throw up this error when I add a Shared VHDx that is stored on the
  Hyper-V Hosts CSV. 
  Hyper-V Host cluster 'HVCLLAB1' with an iSCSI CSV e.g. C:\ClusterStorage\Volume1.  This is all fine.
  Two virtual file servers in a cluster 'FSCL1'
  The quorum and storage disks for the virtual file server cluster are Shared VHDx that are stored in the 'HVCLLAB1' CSV.  They are added to the virtual file servers through Failover Cluster Manager running on one of the Hyper-V Hosts.
  I hope that makes sense.
  I think I got it.
  You are nesting the VHDX files _within_ the cluster guests?
  If that is the case then the cluster would not be online until after the guests finish their own boot and initialization processes.
  Chicken and the egg.
  Essential cluster resources like the witness disk should be direct attached to an iSCSI LUN not nested within the guest workloads.
  Guest clusters are possible but the focus would be on the workloads they would be running internal to themselves.
  I hope I have things correct this time around. Essentially, putting your cluster witness disk within the guest workloads is not a good practice.
  Philip Elder Microsoft Cluster MVP Blog: http://blog.mpecsinc.ca

• Grant issue with Monitoring Sessions

  I've searched high and low for the answer to this. I get an error when trying to Monitor Sessions (table/view don't exist) and that I need select grants on these objects:
  V$SESSION to beadiadbo, V$PROCESS, V$SESS_IO, V$SESSION_WAIT, V$SESSION_EVENT, V$ACCESS, V$SESSSTAT, V$STATNAME, V$OPEN_CURSOR, V$SQL, V$LOCK, V$SESSION_LONGOPS, SYS.V_$TRANSACTION, SYS.V_$ROLLNAME, V$SQLTEST_WITH_NEWLINES
  I've given SELECT grant to the user, but still get the error. Am I missing any other privileges?
  Much appreciated,
  Adam

  Hi Adam,
  According to the following forum search hit (monitor AND sessions), try GRANT SELECT ANY DICTIONARY:
  Monitor Sessions
  MONITOR SESSIONS on a user with just CONNECT, RESOURCE role grants will fail. Adding SELECT ANY DICTIONARY fixes it.
  Getting any finer grained than that gets hairy, e.g., doing a sql trace on your session to see which dictionary views get referenced.
  Regards,
  Gary Graham
  SQL Developer Team

• Expdp users, roles, grants (privs)

  (sorry for the cross-posting - I'm not sure how to delete or move threads and I posted this in the general questions forum thinking I was in this forum)
  So, I think this works - still in the process of testing - but what I want to do is the following:
  1) Export ONLY users, passwords, and privs from TEST
  2) Clone PROD --> TEST
  3) Drop all users in TEST excluding system users.
  4) Import original users file from Step 1.
  I think I've got it with the following. Am I missing anything? I'm testing, but if someone else has done this, I would be happy to hear from something I may be missing.
  JOB_NAME=EXPDP_USERS
  DIRECTORY=DTPUMP
  REUSE_DUMPFILES=Y
  FULL=Y
  DUMPFILE=users_test.dmp
  LOGFILE=users_test_expdp.log
  INCLUDE=SCHEMA:"IN (SELECT USERNAME FROM dba_users where default_tablespace NOT in('SYSAUX','SYSTEM'))",ROLE,USER,SYSTEM_GRANT,ROLE_GRANT,DEFAULT_ROLE,TABLESPACE_QUOTA

  Pl do not post duplicates - expdp users, roles, grants (privs)

• Enterprise Role grants in jazn-data fail for AD Provider User Accounts?

  Hello All,
  I have enterprise roles defined within my jazn-data.xml for my 11.1.1.4 web application. We just recently switched user accounts over to an active directory provider for authentication. So, I have user accounts associated with the active directory provider that are assigned to my enterprise roles. This is working fine because all of my EL expressions of the form #{securityContext.userInRole['EnterpriseRoleName']} are working great.
  However, all of the grants in jazn-data.xml for pages that should only be viewable by users with this role are now not working. Users with this role see a "Internal Server 500" error with the message "oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed", rather than the related pages. This all used to work when the user accounts were not coming from the active directory provider.
  As a work around, I've had to grant test-all view access to all pages, but hide controls and portions of pages that non-authorized users should see using EL like what I printed above.
  This can't be right. Why are AD user accounts treated differently by WebLogic Server, when the security context indicates that the user has the proper role?
  Thanks

  Haha... nice one. This is a low-key production app that is internal to this company. I can't have users with AD accounts, who used to have WLS internal accounts when the jazn grants worked, just stop using the application until some solution comes about. It may take days. I don't understand why you would leave such an unhelpful comment and then leave the discussion. Is this a precedence that you want set within your forum? Please help me to understand why this is a bad workaround. I'm just at the beginning of trying to figure out the root cause of this issue. A search didn't reveal any obvious answers, so I thought I'd reach out to my knowledgeable ADF friends on the forum to see if this was something that could easily be fixed.
  Back to your comment -- why is this a mistake? I have always used the rendered attribute value to hide navigation points to pages that are supposed to be accessible to users with the enterprise role (e.g. rendered="#{securityContext.userInRole['EnterpriseRoleName']}"). This still works fine in the context of this problem, because the security context is working properly -- it's picking up user membership to enterprise roles. It's the jazn grants that are not working for the AD provider related users.
  In this context, if some really smart user guesses the URL of a page I don't want them on because they don't have the role, then why can't I simply set rendered="#{securityContext.userInRole['EnterpriseRoleName']}" on the PGL that presents the body of the page? The content of the page isn't rendered. That's the point of the "rendered" attribute, right? Better yet, I could have a nice message that says that aren't authorized to view the page, rather than put a Java stack trace in their face. Why, then, as a temporary workaround, is this such a bad idea?
  Thank you "sameera.sac" for the links. I'd seen the first one before posting and it wasn't pertinent. But I'll certainly research the others you provided.
  Thanks

• Asking for ROLES granted to the current user

  I am trying to trigger an ALTER SESSION SET NLS_DATE_FORMAT ... for users in a particular database role. I can write some PL/SQL which properly captures a user's roles. When the same code isinvoked from a LOGON trigger, though, it doesn't find any roles:
  SQL> create global temporary table hold_roles (role varchar2(30));
  Table created.
  SQL> create or replace
    2  package          oper_logon_trigger_pg_delete
    3    authid current_user
    4  as
    5    procedure MAIN;
    6  end oper_logon_trigger_pg_delete;
    7  /
  Package created.
  SQL> create or replace
    2  package body          oper_logon_trigger_pg_delete
    3  as
    4 
    5    procedure MAIN
    6    is
    7      l_str varchar2(4000);
    8    begin
    9      for row in (select granted_role from user_role_privs)
  10      loop
  11        insert into hold_roles values (row.granted_role);
  12      end loop;
  13     
  14    end MAIN;
  15   
  16  end oper_logon_trigger_pg_delete;
  17  /
  SQL> exec oper_logon_trigger_pg_delete.main;
  PL/SQL procedure successfully completed.
  SQL> select * from hold_roles;
  ROLE
  CKR_REPOS_MANAGER
  CONNECT
  DBA
  PLUSTRACE
  SQL> CREATE OR REPLACE TRIGGER LOGON_ALT
    2  AFTER LOGON ON DATABASE
    3 
    4  BEGIN
    5   
    6    OPER_LOGON_TRIGGER_PG_DELETE.MAIN();
    7 
    8  END LOGON_ALT;
    9  /
  Trigger created.
  SQL> disconnect
  Disconnected from Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - 64bit Production
  With the Partitioning, OLAP and Data Mining options
  SQL> connect r25u7@dev
  Enter password: **********
  Connected.
  SQL> select * from hold_roles;
  no rows selectedWhy the difference in behavior? Same code, just one is called directly, vs from a LOGON trigger...
  Thanks,
  --=Chuck

  chuckers wrote:
  How does that circumvent the concept that " First trigger is fired and roles are not included into context."?
  Won't the same fundamental problem be true if I just move that code directly into the trigger?OK. I will explain it in details. Trigger, as I already mentioned, is always executed with definer rights which means it is executed on trigger owner's behalf. Now package has AUTHID CURRENT_USER which means it will be executed on package caller's behalf. And since your package is called from the trigger, package is executed on trigger owner's behalf, not on logon user's behalf. As a result, querying USER_ROLE_PRIVS will go against trigger owner's roles. So you are querying wrong user's roles. As you can see, you can't use user_role_privs. That is why you need to go against DBA_ROLE_PRIVS (and do not forget to grant select on DBA_ROLE_PRIVS directly to trigger owner). Your second issue is GTT. AFAIK after logon trigger is executed aftr user is logged in but before session is fully instantiated and GTT does not work yet. Anyway:
  SQL> connect sys/******** as sysdba
  Connected.
  SQL> grant select on dba_role_privs to scott
    2  /
  Grant succeeded.
  SQL> connect scott/******
  Connected.
  SQL> drop role CHANGE_NLS_DATE_FORMAT
    2  /
  Role dropped.
  SQL> create role CHANGE_NLS_DATE_FORMAT
    2  /
  Role created.
  SQL> grant CHANGE_NLS_DATE_FORMAT to u1
    2  /
  Grant succeeded.
  SQL> drop table hold_roles
    2  /
  Table dropped.
  SQL> create table hold_roles(role varchar2(30))
    2  /
  Table created.
  SQL> grant insert,select on hold_roles to public
    2  /
  Grant succeeded.
  SQL> create or replace
    2  package oper_logon_trigger_pg_delete
    3    authid current_user
    4  as
    5   procedure MAIN;
    6  end oper_logon_trigger_pg_delete;
    7  /
  Package created.
  SQL> create or replace
    2  package body          oper_logon_trigger_pg_delete
    3  as
    4    procedure MAIN
    5    is
    6      l_str varchar2(4000);
    7    begin
    8      for v_rec in (select granted_role from dba_role_privs where grantee = user)
    9      loop
  10        insert into hold_roles values(v_rec.granted_role);
  11      end loop;
  12    end MAIN;
  13  end oper_logon_trigger_pg_delete;
  14  /
  Package body created.
  SQL> CREATE OR REPLACE
    2    TRIGGER LOGON_ALT
    3      AFTER LOGON ON DATABASE
    4      BEGIN
    5          OPER_LOGON_TRIGGER_PG_DELETE.MAIN();
    6  END LOGON_ALT;
    7  /
  Trigger created.
  SQL> truncate table hold_roles
    2  /
  Table truncated.
  SQL> connect u1/****
  Connected.
  SQL> select * from scott.hold_roles
    2  /
  ROLE
  CHANGE_NLS_DATE_FORMAT
  SQL> select granted_role from user_role_privs
    2  /
  GRANTED_ROLE
  CHANGE_NLS_DATE_FORMAT
  SQL> SY.
  P.S. Now, when the issue is explained, you could simplify whole thing. You do not need package at all. Just create the trigger:
  CREATE OR REPLACE
    TRIGGER LOGON_ALT
      AFTER LOGON ON DATABASE
      BEGIN
          insert into hold_roles
            select granted_role from dba_role_privs where grantee = user;
  END LOGON_ALT;
  /

• Object granting issues 11g

  We are in the process of migrating to 11.2.0.2 RAC/ASM on new hardware from 10.2.0.4 RAC/OCFS2 ... as such I am migrating my entire database using Data Pump Export/Import. Everything seems to have come over fine and the only errors I see in my import logs are related to objects already existing in the SYS schema. Now to my issue ...
  I have an object GN.UNPOST_JOURNAL_ENTRY ... execute rights on this object have been given to the role GL_ADMIN. This role has been then granted to my non admin SCARLSON user account. In our 10.2.0.4 system this works just fine ... but in our 11g system I am unable to execute this procedure. In fact the only way I am able to see the procedure is to grant my SCARLSON account execute rights directly or grant my SCARLSON account the system privelege of "EXECUTE ANY PROCEDURE" ...
  I have already completely deleted DB instance, recreated my instance, ran my export/import, removed the object, roles, groups, and grants no less than 20 times at this point with the same results ... has anyone ran into this issue before or does anyone have an idea of what to start looking into first?

  Is the role password protected ? You can check with :
  select * from dba_roles where role = 'GL_ADMIN';Password protected roles are no more enabled by default since 10.2.0.5: see Oracle Patchset 10.2.0.5.0 impact on password enabled roles

• Role Privillege Issue

  Hi Experts,
  I created 1 schema say X then i given dba role to it
  I imported data to that schema
  I compiled then i am getting alot of invalidations regarding the DBA_tables/sys objects that Iam accessing inside the pkg,view..etc in the X schema
  GRANTED_ROLES         
  DBA                  
  EXECUTE_CATALOG_ROLE 
  EXP_FULL_DATABASE    
  IMP_FULL_DATABASE    
  JAVAUSERPRIV         
  SELECT_CATALOG_ROLE  
  IMP_FULL_DATABASE what are the other roles/privilages i need, inorder to access dba/sys objects like
  dba_jobs_running,dbms_aq,dbms_pipe,dbms_alert,v$session,v$process,V$timer,dbms_lock.. etc objects.
  In one go can i give the accessability to dba/sys objects??
  note:
  A replica of X schema exist on the same instance without this issue ...
  regards,
  john

  jpy wrote:
  Hi Experts,
  I created 1 schema say X then i given dba role to it
  I imported data to that schema
  I compiled then i am getting alot of invalidations regarding the DBA_tables/sys objects that Iam accessing inside the pkg,view..etc in the X schema
  GRANTED_ROLES         
  DBA                  
  EXECUTE_CATALOG_ROLE 
  EXP_FULL_DATABASE    
  IMP_FULL_DATABASE    
  JAVAUSERPRIV         
  SELECT_CATALOG_ROLE  
  IMP_FULL_DATABASE what are the other roles/privilages i need, inorder to access dba/sys objects like
  dba_jobs_running,dbms_aq,dbms_pipe,dbms_alert,v$session,v$process,V$timer,dbms_lock.. etc objects.
  In one go can i give the accessability to dba/sys objects??
  note:
  A replica of X schema exist on the same instance without this issue ...
  regards,
  johnlogin to the user(replica of x schema) and select * from session_privs;
  eg:-
  SQL> conn test/test;
  Connected.
  SQL> select * from session_privs;
  PRIVILEGE
  CREATE SESSION
  UNLIMITED TABLESPACE
  CREATE TABLE
  CREATE CLUSTER
  CREATE SEQUENCE
  CREATE PROCEDURE
  CREATE TRIGGER
  CREATE TYPE
  CREATE OPERATOR
  CREATE INDEXTYPEgrant all the privilege to the user X.
  if you import any user object to another user object it will automatically grant the existing privilege to the user .
  the problem is , you granted dba privilege to user x. Revoke it and grant only the privileges of replica user.
  else drop user and import the user again without granting any privilege, you will get the same exact copy as it is.

• Role Import - Issue

  Hi All,
  We have a Logical System Group for ECC. Now this group has 3 connectors.
  I am uploading the roles into GRC system from one of the 3 connectors defined under logical system group.
  I downloaded the Role authorization file and Role attributes file from target system and updated with required details.
  I imported these roles into GRC 10 by selecting below options.
  Roles are imported without any issues. But when I open the role i can see that my role has all the connectors attached to it which are part of ECC logical system group as shown below.
  I have maintained all the roles status as"DEV" so as to not allow them to be available during access request creation. Now issue is the roles which belongs to 200 client are not coming when I search for during access request creation as I disabled them. But my connector 200 is added to all other roles which belongs to connectors 10 and 100.
  When i search for roles with connector 200, I am now getting the roles from other connectors.
  My requirement is though i upload roles against logical group, role should be tagged only to connector to which it belongs and not to all the connectors in that logical group.
  Am I doing anything wrong here ? Please help.
  Regards,
  Sai.

  Hi Sai,
  roles are uploaded to specified environment.
  You can select in which systems role will be available to select in access request.
  Try to upload template with three records for every role. Every record should have "Overwrite" set to "Y". Only difference will be in system and provisioning columns. See attached screen.
  Regards,
  Rafal

• Role design issue in regarding SU01 and UserGroups

  Hi Experts,
  I got a requirement to set up a custom role in regarding SU01 access and User groups. Create a role that allows users with this role to go to SU01 but only is allowed to lock/unlock account or reset password. Also should be able to do only with their particular group, not for all groups.
  Suppose consider a scenario, we have 2 groups called India with 4 members and America with 5 members. Now admin of India group can only restrict those 4 people, should not have access to users of America group.
  I have tried in a way that, created a role with one tcode SU01 in Menu tab and fields Activity:05 , Group Name: Test_group for S_USER_GRP object. Now assigned this role to a user(TEST1) and also mentioned the group name in Logon tab.So he will be the admin for group "Test_Group". in this way he is able to do lock/unlock account and pwd reset for all group members not only for Test_Group. I am not getting Where I am doing the mistake.
  Please help me out to solve this issue.
  Thanks in advance.

  As you suggested,I have created a role with only one tcode  SU01 and for S_USER_GRP I have given in the following way:
  Activity: 05
  Group name: Test_Group
  and assigned this to user(Test1).
  We have other groups like Test_Group1,Test_Group2 etc. But User(Test1) still able to do changes for Test_Group1 and T_Group2 rather than Test_Group

• Where to find tutorial for oracle.security.jazn , specially role granting?

  Hi
  Thank you for reading my post
  where i can find references about oracle.security.jazn and its classes and interfaces ?
  i am stucked with granting roles that i created in admin console or from within my application to users ?
  where is this package javadocs ?
  thanks

  Thanks for giving the link
  is there any way that i add this javadocs to Jdeveloper IDE for quick javadoc facilities ?
  where i can download its zip/jar package for offline IDE use ?
  which jdeveloper predefined library contains oracle.security.jazn ?
  thank you again